This document is an HTML formatted version of a printed document. The printed document may contain agency comments, charts, photographs, appendices, footnotes and page numbers which may not be reproduced in this electronic version. If you require a printed version of this document contact the United States Securities and Exchange Commission, Office of Inspector General, Mail Stop 11-7, 450 Fifth Street N.W., Washington, D.C. 20549 or call (202) 942-4460.

Contingency Plans for PABX and Datacenter

Audit Report No.
226 July 31, 1995

SUMMARY

We are making a number of recommendations to enhance Commission disaster recovery capabilities. The most significant of these are: development and testing of complete and up-to-date disaster recovery plans for the mainframe, networks, PABX, and EDGAR (Recommendations A, C, E, and H); installation of Stratus computers at headquarters to provide a disaster recovery capability for EDGAR (Recommendation D); obtaining back-up power for the headquarters file servers and PABX (Recommendation G); and development of a business recovery plan for the Commission (Recommendation M).

The Offices of Information Technology, Administrative and Personnel Management, and the Executive Director provided comments on a draft of this report (attached). Generally, they concurred with our recommendations.

OBJECTIVES, SCOPE, AND METHODOLOGY

Our objective was to evaluate the adequacy of the Commission's disaster recovery capabilities. The audit scope included mainframe computers and environmental controls at the Operations Center and headquarters data centers; the Private Automated Branch Exchange (PABX) and Electronic Data Gathering and Retrieval (EDGAR) systems; and file servers at the headquarters data center.

During the audit, we interviewed staff from the Offices of Information Technology (OIT); Administrative and Personnel Management (OAPM); and the Executive Director. We reviewed relevant documentation and observed selected environmental controls.

The audit was performed between February and May 1995 in accordance with generally accepted government auditing standards.

BACKGROUND

The Commission's Operations Center in Alexandria, Virginia, has primary responsibility for mainframe and EDGAR operations. The data center at headquarters provides a limited mainframe back-up capability, and also houses network file servers and the Private Automated Branch Exchange (PABX) telephone system.
The data centers are linked to each other and regional offices through communication lines.

The OIG observed testing of the headquarters mainframe in a prior audit (No. 208).

The Office of Information Technology has primary responsibility for Commission computer operations. The Office of Administrative and Personnel Management has responsibility for the PABX.

AUDIT RESULTS

MAINFRAME AND NETWORK DISASTER RECOVERY

Disaster Recovery Plans

The Office of User Support Services and the Office of Operations within OIT have developed separate, but overlapping, disaster recovery plans. User Support Services' plan is not stored off-site, reducing its accessibility. The plans are not complete and up-to-date.

Recommendation A

OIT should develop one disaster recovery plan which is complete and up-to-date, after consultation with affected offices. Copies of the plan should be stored off-site.

Risk Assessments

OIT has not performed a risk assessment of the Operations Center. A risk assessment is needed to identify vulnerabilities and evaluate appropriate safeguards.

Recommendation B

OIT should perform a risk assessment of the Operations Center.

Testing

The two plans have not been periodically tested, because of other priorities. User Support Services' plan was last tested in November 1994, while Operations' was tested in June 1994. Since June, Operations has implemented a major system upgrade.

Recommendation C

OIT should test and update its disaster recovery plan(s) periodically. Other offices should participate in the tests, as appropriate.

EDGAR

Disaster recovery

OIT recently acquired additional Stratus mini-computers. After testing them, it plans to install them in headquarters, thereby providing a disaster recovery capability for EDGAR.
OIT has not yet developed an EDGAR disaster recovery plan.

Recommendation D

OIT should test and install the Stratus mini-computers, as planned.

Recommendation E

OIT should develop a disaster recovery plan for EDGAR, after consultation with affected offices.

Re-solicitation

The EDGAR contract will be re-solicited in 1997. The new contract should provide for a continued disaster recovery capability.

Recommendation F

OIT should require the next EDGAR contractor to provide a disaster recovery capability.

HEADQUARTERS PABX AND FILE SERVERS

Back-up power

Currently, the PABX and file servers at headquarters do not have a back-up power source in the event of a power interruption. A generator is available, but it is not in operating condition. Unlike the mainframe, the PABX and file servers do not have an alternative site.

Recommendation G

OAPM should put the generator in operating condition.

Disaster recovery plan

OAPM has not yet developed a contingency plan for the PABX. The Appendix contains suggestions for the contents of a plan.

Recommendation H

OAPM should develop and test a PABX contingency plan, after consultation with affected offices.

ENVIRONMENTAL CONTROLS

Water

Water has leaked into the Operations Center computer room from a drain pipe on the floor above. An ice machine and sink share the same drain, which periodically clogs. Water can damage computers and cause electrical shocks.

Recommendation I

OAPM should prevent further leaks into the Operations Center computer room, for example, by relocating the sink and ice machine.

Traffic Reports

OAPM has installed a system for monitoring traffic on the PABX. Review of this information can help ensure that the PABX's capacity is sufficient.

Recommendation J

OAPM should review PABX traffic reports.

Maintenance Logs

OAPM does not keep maintenance logs for the PABX and environmental control equipment.
Maintenance logs help ensure that required maintenance is performed.

Recommendation K

OAPM should keep maintenance logs for its PABX and environmental control equipment.

Blueprints

In the event of a disaster, OAPM would need to consult blueprints of the headquarters and Operations Center facilities. To ensure that blueprints are readily available, a copy should be stored off-site.

Recommendation L

OAPM should store a copy of the headquarters and Operations Center blueprints off-site.

OTHER MATTERS

The Commission does not have a business recovery plan for its overall operation (as opposed to just its computer operations) in the event of a major disaster. This plan would help ensure that the Commission's programs are promptly and effectively restored after a disaster. The plan would explain what should be done, and who should do it.

Recommendation M

The Office of the Executive Director should develop a business recovery plan for the Commission, as resources permit. It should consult with other Commission offices and divisions.

APPENDIX

The following elements should be included in the PABX contingency plan:

a) OAPM should document in their contingency procedures the location and phone numbers of all analog lines in the Headquarters and Operations Center buildings for possible use in the event of a main PABX failure. Additionally:

- OAPM should ensure that an adequate number of analog phones can be readily obtained/available to use these lines.
- Existing users of these analog lines should be informed that these lines may be taken away in the event of an emergency to restore Commission telephone support capabilities.
- Arrangements should be made among program offices for the use of analog lines located in other program offices.

b) OAPM should ensure that vendor contact information such as switch manufacturer, contract support providers, the D.C.
and Virginia phone companies, and cellular phone providers, and equipment inventory is periodically updated in the plan.

OAPM should also include contact information that can assist the telecommunications staff in the event of a catastrophic disaster (For example, it may include GSA's NSEP Division).

c) OAPM should work with program offices to determine the minimal number of telephone numbers/lines needed at headquarters, Operations Center and Annex to support program office continuity in the event of a PABX communications failure/unavailability and include this in their contingency plan.

d) OAPM should document in their contingency plan the procedures to be used to notify/forward calls to new Commission numbers.

e) Copies of PABX manuals, and identification numbers of Central Office to PABX and inter-switch trunk lines should be maintained at both the Operations Center and at headquarters. The location of manuals and the identification of lines should be in the contingency plan.